SysCP is a server management application, similar to the popular Confixx and CPanel products, but open source. It is deployed by several large German hosting and co-location companies and can be used for complete server administration, including web and database, FTP and mail servers, reseller access and more. With the PHP configuration flag "register_globals On" (which is still the case for a large installation base), a number of variables can be injected, leading to the execution of arbitrary remote code, which can also be included from a remote server. This can lead to backdooring of the server in question. SysCP needs the MySQL root password to perform some of its functionality, so attackers can very easily obtain this critical information from SysCP's configuration file.

Details:

During a rough scan through the SysCP source code, we found two possibilities to inject global variables via GET; experience shows that probably more occurrences exist. The first of these holes allows direct inclusion of remote PHP code with just one GET parameter. By setting the language to any value not existent in the SysCP installation, inclusion of a language file can be forced; there are no checks whether the included file name was actually user-supplied. The second vulnerability allows passing curly brackets to SysCP's internal template engine, which then eval()s this expression. A string like {${phpinfo();}} would then be evaluated to the phpinfo() function, which would subsequently be executed.
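The following PHP is an added illustration written for this advisory; it is not SysCP's code and does not reproduce its template engine. It shows the defensive counterpart of both findings above: a language loader that refuses to rely on register_globals and only includes files from an allowlist built from the installed language files, and a helper that treats request values as data so that template delimiters never reach an eval()ed expression. The directory layout (`lang/*.php`, each file returning an array) and the parameter names are assumptions for the example.

```php
<?php
// Added example, not SysCP's code. Directory layout and parameter names
// (lang/*.php returning arrays, ?language=, ?username=) are assumptions.

// 1. The injection described in the advisory depends on register_globals;
//    refuse to run at all when the interpreter has it enabled.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals must be Off');
}

// 2. Never assume a variable was initialised by the application. Read the
//    request explicitly and validate it against the files that really exist,
//    so a name containing "/", "\0" or a URL can never form the include path.
function loadLanguage(string $langDir, ?string $requested, string $default = 'en'): array
{
    // Allowlist derived from the installed language files only.
    $allowed = array_map(
        function ($path) { return basename($path, '.php'); },
        glob($langDir . '/*.php') ?: []
    );

    $lang = $default;
    if (is_string($requested)
        && preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $requested)   // strict syntax
        && in_array($requested, $allowed, true)) {              // and membership
        $lang = $requested;
    }

    $file = $langDir . '/' . $lang . '.php';
    if (!in_array($lang, $allowed, true) || !is_file($file)) {
        // The default itself is missing: fail closed instead of including
        // whatever PHP would resolve the path to.
        throw new RuntimeException("language file for '$lang' is not installed");
    }
    // The path is built from a validated local file name, never from raw
    // request data, so allow_url_include cannot turn this into a remote include.
    return include $file;
}

// 3. Values taken from the request are data, not template syntax. Escaping
//    the delimiters before they reach the template keeps constructs such as
//    {${...}} from being interpreted by an engine that eval()s expressions.
function escapeTemplateValue(string $value): string
{
    $html = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return strtr($html, ['{' => '&#123;', '}' => '&#125;']);
}

// Usage under the assumed layout.
$strings = loadLanguage(__DIR__ . '/lang', $_GET['language'] ?? null);
echo escapeTemplateValue($_GET['username'] ?? '');
```

The allowlist is rebuilt from the filesystem on each call, so adding a language means dropping a file into the directory rather than editing a hard-coded list; the regular expression is kept deliberately narrow so that the file-existence check is a second line of defence, not the only one. Auditing for this class of bug means searching for `include`/`require` whose operand contains any variable that is not assigned from a constant or a validated value earlier in the same request, and for any `eval()` whose argument can contain request data.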

Proof of Concept:

Due to the sensitive nature of the vulnerability, the Hardened PHP Project is not going to release a proof of concept to the public.